This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Tomer_Noy
Employee
Employee
‎2023-10-22 12:14 AM
In response to PhoneBoy

The actual behavior is different, so the above answer is partially inaccurate...

There is a bit of a mix-up between connection & session logs, and the Log Exporter aggregation setting.

1) Connection Logs - These are firewall access logs that are sent for every single connection.
2) Session Logs - These are "higher level" logs that combine multiple connection logs to a single session as long as they have identical matching attributes (source, destination, port, action, ...).

Both of these log types may receive updates.
A connection log is created immediately when a connection is first seen. Some connections are long lived and the gateway may gather more information about them over time. For example, identifying the user that originated the connection or how much traffic has passed so far (if Accounting is activated). This additional information is sent as partial log updates that only contains the fields that changed.
A session log is created immediately when the first connection of its type is created. Following that, the gateway will accumulate information from all connections that match this session over a default of 10 minutes, and will issue an update log for the session. This update log will usually include how many connections matched and possibly accounting information.

The log exporter has two options for exporting:
1) Raw (not unified) mode - in this case, it exports the fields that exist on the log. If this is an update log, you will have an exported log that has just a handful of fields.
2) Aggregated (semi-unified) - in this case, it still exports every arriving log, but before doing so, it will fetch the previous data it has for that log and will unify it into a single complete log (up to that point).

Both options will export every log, but the second is more useful since every log shows a complete picture of the connection / session. Also, in both options you need to be aware that you will have multiple logs in your SIEM for the same connection.

Unfortunately, we don't have an option today for a "full unified" mode where we only send the last log. This is mainly because the log server doesn't have a final indication that no more future updates will arrive. We are looking into adding this in our roadmap.

View solution in original post

(1)
Who rated this post